From owner-freebsd-security@FreeBSD.ORG Tue Apr 5 21:33:57 2011
From: Dmytro Pryanyshnikov <lynx.ripe@gmail.com>
To: István
Cc: freebsd-security
Date: Wed, 6 Apr 2011 00:11:50 +0300
Subject: Re: SSL is broken on FreeBSD
List-Id: "Security issues [members-only posting]"

Hello!

On Fri, Apr 1, 2011 at 5:33 PM, István wrote:
> Could somebody explain to me how is it possible to ship an operating system
> without testing basic functionality like SSL working? Unfortunately the
> problem is still there after installing the following port:
>
> /usr/ports/security/ca_root_nss
>

dmitry@lynx$ openssl s_client -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
Verify return code: 20 (unable to get local issuer certificate)
dmitry@lynx$ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect 72.21.203.148:443 2>/dev/null < /dev/null |egrep '^[[:space:]]*Verify return code:'
Verify return code: 0 (ok)

So it looks like the /etc/ssl/cert.pem link just isn't "magic enough" to be used by the "openssl s_client" command by default (without the -CAfile command line argument). Alas, both openssl(1) and s_client(1) lack a FILES section, so it's unclear whether a default value for -CAfile can be specified in some configuration file. Moreover, openssl(1) refers to config(5), but 'man 5 config' describes the FreeBSD kernel config, not OpenSSL's one.

But yes, installing the security/ca_root_nss port _and_ specifying '-CAfile /usr/local/share/certs/ca-root-nss.crt' seems to solve your problem.

-- 
Sincerely,
Dmytro
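An added example, not part of the mail or of FreeBSD/OpenSSL, that reproduces the "Verify return code: 20" failure above offline with a throwaway CA and then shows the three places the openssl command-line tools take a trust store from: the compiled-in OPENSSLDIR/cert.pem (which is /etc/ssl/cert.pem on FreeBSD), the SSL_CERT_FILE environment variable, and an explicit -CAfile. The CA, the leaf certificate and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original mail): reproduce error 20 "unable to
# get local issuer certificate" with a throwaway CA, then show where the
# openssl tools look for trusted roots. All paths below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and one leaf certificate issued by it (demo material only).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-leaf' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null

# Where this OpenSSL build looks when neither SSL_CERT_FILE nor -CAfile is
# given: OPENSSLDIR/cert.pem. On FreeBSD OPENSSLDIR is /etc/ssl.
default_cert_file() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1\/cert.pem/'
}

# run_verify [openssl verify options]: prints the numeric X509 verify error
# for the leaf, or 0 when the chain validates (same codes s_client reports).
run_verify() {
    if out=$(openssl verify "$@" "$WORK/leaf.crt" 2>&1); then
        echo 0
    else
        # Failure output contains "error N at D depth lookup: <reason>".
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Same check, trust store supplied through SSL_CERT_FILE instead of -CAfile;
# OpenSSL's default file lookup honours this variable.
verify_via_env() {
    SSL_CERT_FILE=$1
    export SSL_CERT_FILE
    run_verify
    unset SSL_CERT_FILE
}

echo "default trust file : $(default_cert_file)"
echo "no trust store     : $(run_verify)"                        # 20
echo "-CAfile            : $(run_verify -CAfile "$WORK/ca.crt")" # 0
echo "SSL_CERT_FILE      : $(verify_via_env "$WORK/ca.crt")"     # 0
```

Error 20 appears whenever the issuer is absent from every location OpenSSL consulted, which is why a trust bundle installed outside OPENSSLDIR needs -CAfile or SSL_CERT_FILE to be found.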